External User cannot connect to share when connected to their domain network

Hi,

We have a user that works for our parent company that uses IPSEC VPN to connect to our network to access network shares. When he is on their domain network he can connect to our network using VPN but is unable to access DFS shares.

The error is "Windows cannot access \\domain\data\shareName"

I asked the user to connect to mobile hot spot and try again. He was able to connect to all shares. I confirmed the IP address ranges for their network, our VPN and our internal network and the IP address ranges do not conflict. The domain prefix is set in the VPN profile.

Why would this user be able to connect when on a mobile hot spot and not on their internal domain network?

Thanks.

Beau

Answers

  • Is there a domain trust set up between both domains?

    Can he access by IP addr?

  • edited November 19

    There is no domain trust between domains. It used to work just fine. The only thing I needed to get it to work initially on his end was to add the domain prefix to the VPN profile. The only change on our end recently is we switched to new ISP and have a new IP address. No changes have been made to the VPN profile other than IP address it is connecting to. Not sure if there have been changes on the client end.

    I am having the user test with IP address while in the office and will report back. Seems to work ok while not in the office.

  • While not in the office, the user's device is not connected to your domain.

  • edited November 19

    He works for another company and is never connected to our domain. When he is in his office (in another country) and connected to their domain network he can connect to the VPN but not the shares. If he connects to a Wifi hot spot on his cell phone instead of their domain network he can connect to the VPN and access any share.

    Hope this clears things up a bit.

  • I forgot to mention that the shares are DFS shares. The user cannot access the shares using the namespace when the user is in the office but they work when not in the office. When in the office the user can access the shares using the IP address of the servers or the FQDN of the server with the share.

    As a workaround for now I created shortcuts to each share using: FQDN\share

    So there is some kind of issue with the domain name not being used even though I added it to the VPN profile.

  • james.carson Moderator, WatchGuard Representative
    edited November 20

    Hi @Beau
    Windows will try to resolve domain names via all configured DNS servers -- if they're getting a bad response via DNS for that domain very quickly, that might be part of your issue.

    I'd suggest having the user try looking those names up in each scenario and see what responses they get.

    -James Carson
    WatchGuard Customer Support

  • edited November 21

    Hi,

    If I use the FQDN of the actual server the shares are hosted on he can connect. It seems the domain is being resolved properly as he can see the list of all the DFS shares he has access to. It appears the issue is when using the DFS shares the path to the actual share does not have the domain name. It is just the server name itself. The domain name is listed in the DNS server settings in the VPN profile. I figure that is why it works when not connected to the domain network.

    Another thing I can maybe do is redo the folder targets for the DFS shares and include the FQDN of each server.
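
Added example (not part of the thread, and not WatchGuard's or the poster's code): one way to find which DFS folder targets hand out a bare server name in referrals, which is the condition the post above describes. It assumes the DFSN PowerShell module (RSAT DFS Management tools) on an admin host in the domain that hosts the namespace; `\\example.local\data` is a placeholder namespace path.

```powershell
# Added example. Lists every folder target under a DFS namespace and classifies
# the host part of each target path as ShortName, FQDN or IP.
param(
    # Placeholder: replace with the real domain-based namespace root.
    [string]$NamespaceRoot = '\\example.local\data'
)

Import-Module DFSN -ErrorAction Stop

$report = foreach ($folder in Get-DfsnFolder -Path "$NamespaceRoot\*") {
    foreach ($target in Get-DfsnFolderTarget -Path $folder.Path) {
        # TargetPath looks like \\server\share; take the host component.
        $hostName = $target.TargetPath.TrimStart('\').Split('\')[0]

        $ip = $null
        if ([System.Net.IPAddress]::TryParse($hostName, [ref]$ip)) {
            $kind = 'IP'
        } elseif ($hostName.Contains('.')) {
            $kind = 'FQDN'
        } else {
            # A bare name only resolves if the client's DNS suffix search
            # list (or NetBIOS) happens to complete it correctly.
            $kind = 'ShortName'
        }

        [pscustomobject]@{
            Folder = $folder.Path
            Target = $target.TargetPath
            Host   = $hostName
            Kind   = $kind
            State  = $target.State
        }
    }
}

# Full inventory, short-name targets first.
$report | Sort-Object Kind -Descending | Format-Table -AutoSize

# Targets a client outside the domain may fail to resolve.
$short = @($report | Where-Object Kind -eq 'ShortName')
Write-Host "$($short.Count) of $(@($report).Count) folder targets use a short server name."
```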

  • james.carson Moderator, WatchGuard Representative

    Hi @Beau
    I'd suggest opening a support case -- one of our support reps can take a look at the issue in more detail with you. You can open a support case by clicking the support center link at the top right of this page.

    Thank you,

    -James Carson
    WatchGuard Customer Support
